wolfSSL · padelsbach · Oct 7, 2025 · Aug 22, 2025 · Oct 2, 2025 · Oct 7, 2025
diff --git a/.github/workflows/openssl-version.yml b/.github/workflows/openssl-version.yml
@@ -0,0 +1,81 @@
+name: OpenSSL Version Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  openssl_version_test:
+    name: OpenSSL Version Test
+    runs-on: ubuntu-22.04
+    timeout-minutes: 30
+    strategy:
+      matrix:
+        wolfssl_ref: ['v5.8.2-stable']
+        openssl_ref: [
+          'openssl-3.0.3',
+          'openssl-3.0.4',
+          'openssl-3.0.5',
+          'openssl-3.0.6',
+          'openssl-3.0.7',
+          'openssl-3.0.8',
+          'openssl-3.0.9',
+          'openssl-3.0.10',
+          'openssl-3.0.11',
+          'openssl-3.0.12',
+          'openssl-3.0.13',
+          'openssl-3.0.14',
+          'openssl-3.0.15',
+          'openssl-3.0.16',
+          'openssl-3.0.17',
+          'openssl-3.1.0',
+          'openssl-3.1.1',
+          'openssl-3.1.2',
+          'openssl-3.1.3',
+          'openssl-3.1.4',
+          'openssl-3.1.5',
+          'openssl-3.1.6',
+          'openssl-3.1.7',
+          'openssl-3.1.8',
+          'openssl-3.2.0',
+          'openssl-3.2.1',
+          'openssl-3.2.2',
+          'openssl-3.2.3',
+          'openssl-3.2.4',
+          'openssl-3.2.5',
+          'openssl-3.3.0',
+          'openssl-3.3.1',
+          'openssl-3.3.2',
+          'openssl-3.3.3',
+          'openssl-3.3.4',
+          'openssl-3.4.0',
+          'openssl-3.4.1',
+          'openssl-3.4.2',
+          'openssl-3.5.0',
+          'openssl-3.5.1']
+    steps:
+      - name: Checkout wolfProvider
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Build and test wolfProvider
+        run: |
+          OPENSSL_TAG=${{ matrix.openssl_ref }} \
+            WOLFSSL_TAG=${{ matrix.wolfssl_ref }} \
+            ./scripts/build-wolfprovider.sh
+
+      - name: Print errors
+        if: ${{ failure() }}
+        run: |
+          if [ -f test-suite.log ] ; then
+            cat test-suite.log
+          fi
diff --git a/src/wp_kdf_exch.c b/src/wp_kdf_exch.c
@@ -221,6 +221,54 @@ static int wp_kdf_set_ctx_params(wp_KdfCtx* ctx, const OSSL_PARAM params[])
     return EVP_KDF_CTX_set_params(ctx->kdfCtx, params);
 }
 
+/**
+ * Get the KDF key exchange parameters.
+ *
+ * @param [in]      ctx     KDF key exchange context object.
+ * @param [in, out] params  Array of parameters.
+ * @return  1 on success.
+ * @return  0 on failure.
+ */
+static int wp_kdf_get_ctx_params(wp_KdfCtx* ctx, OSSL_PARAM params[])
+{
+    int ok = 1;
+
+    WOLFPROV_ENTER(WP_LOG_KDF, "wp_kdf_get_ctx_params");
+
+    if (!wolfssl_prov_is_running()) {
+        ok = 0;
+    }
+    if (ok && !EVP_KDF_CTX_get_params(ctx->kdfCtx, params)) {
+        ok = 0;
+    }
+
+    WOLFPROV_LEAVE(WP_LOG_KDF, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok);
+    return ok;
+}
+
+/**
+ * Get the list of gettable parameters for a KDF context.
+ *
+ * @param [in] ctx      KDF key exchange context object. Unused.
+ * @param [in] provCtx  Provider context object.
+ * @param [in] kdfName  Name of the KDF.
+ * @return  Array of parameters with data type.
+ */
+static const OSSL_PARAM* wp_kdf_gettable_ctx_params(wp_KdfCtx* ctx,
+    WOLFPROV_CTX* provCtx, const char* kdfName)
+{
+    const OSSL_PARAM* params = NULL;
+
+    (void)provCtx;
+    (void)kdfName;
+
+    if (wolfssl_prov_is_running() && ctx != NULL && ctx->kdfCtx != NULL) {
+        params = EVP_KDF_CTX_gettable_params(ctx->kdfCtx);
+    }
+
+    return params;
+}
+
 /**
  * Return an array of supported settable parameters for the HKDF ke context.
  *
@@ -268,6 +316,32 @@ static const OSSL_PARAM* wp_tls1_prf_settable_ctx_params(wp_KdfCtx* ctx,
     return settable_ctx_params;
 }
 
+/**
+ * Return an array of supported gettable parameters for the HKDF ke context.
+ *
+ * @param [in] ctx      KDF key exchange context object. Unused.
+ * @param [in] provCtx  Provider context object.
+ * @return  Array of parameters with data type.
+ */
+static const OSSL_PARAM* wp_hkdf_gettable_ctx_params(wp_KdfCtx* ctx,
+    WOLFPROV_CTX* provCtx)
+{
+    return wp_kdf_gettable_ctx_params(ctx, provCtx, "HKDF");
+}
+
+/**
+ * Return an array of supported gettable parameters for the TLS1-PRF ke context.
+ *
+ * @param [in] ctx      KDF key exchange context object. Unused.
+ * @param [in] provCtx  Provider context object.
+ * @return  Array of parameters with data type.
+ */
+static const OSSL_PARAM* wp_tls1_prf_gettable_ctx_params(wp_KdfCtx* ctx,
+    WOLFPROV_CTX* provCtx)
+{
+    return wp_kdf_gettable_ctx_params(ctx, provCtx, "TLS1-PRF");
+}
+
 /*
  * HKDF
  */
@@ -292,8 +366,11 @@ const OSSL_DISPATCH wp_hkdf_keyexch_functions[] = {
     { OSSL_FUNC_KEYEXCH_INIT,                (DFUNC)wp_kdf_init               },
     { OSSL_FUNC_KEYEXCH_DERIVE,              (DFUNC)wp_kdf_derive             },
     { OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS,      (DFUNC)wp_kdf_set_ctx_params     },
+    { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS,      (DFUNC)wp_kdf_get_ctx_params     },
     { OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS,
                                             (DFUNC)wp_hkdf_settable_ctx_params },
+    { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS,
+                                            (DFUNC)wp_hkdf_gettable_ctx_params },
     { 0, NULL }
 };
 
@@ -321,8 +398,11 @@ const OSSL_DISPATCH wp_tls1_prf_keyexch_functions[] = {
     { OSSL_FUNC_KEYEXCH_INIT,                (DFUNC)wp_kdf_init               },
     { OSSL_FUNC_KEYEXCH_DERIVE,              (DFUNC)wp_kdf_derive             },
     { OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS,      (DFUNC)wp_kdf_set_ctx_params     },
+    { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS,      (DFUNC)wp_kdf_get_ctx_params     },
     { OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS,
                                             (DFUNC)wp_tls1_prf_settable_ctx_params },
+    { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS,
+                                            (DFUNC)wp_tls1_prf_gettable_ctx_params },
     { 0, NULL }
 };
 
diff --git a/test/test_ecc.c b/test/test_ecc.c
@@ -1670,8 +1670,10 @@ static int test_ec_pubkey_match_ex(EVP_PKEY *pkey1, EVP_PKEY *pkey2,
 
 static int test_ec_pubkey_match(EVP_PKEY *pkey1, EVP_PKEY *pkey2) {
     int err = 0;
-
+    /* Older versions of OpenSSL use a different format for raw pub key */
+#if OPENSSL_VERSION_NUMBER >= 0x30008000L
     err = test_ec_pubkey_match_ex(pkey1, pkey2, OSSL_PKEY_PARAM_PUB_KEY);
+#endif
     if (err == 0) {
         err = test_ec_pubkey_match_ex(pkey1, pkey2,
                                       OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY);
@@ -1902,6 +1904,8 @@ static int test_ec_import_priv(void)
             err = 1;
         }
     }
+    /* Older versions of OpenSSL will segfault on this */
+#if OPENSSL_VERSION_NUMBER >= 0x30006000L
     if (err == 0) {
         if (EVP_PKEY_get_octet_string_param(pkey1,
             OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0, (size_t *)&len) != 0) {
@@ -1914,6 +1918,7 @@ static int test_ec_import_priv(void)
             err = 1;
         }
     }
+#endif
 
     EVP_PKEY_free(pkey1);
     EVP_PKEY_free(pkey2);

diff --git a/test/test_hkdf.c b/test/test_hkdf.c
@@ -91,12 +91,12 @@ static int test_hkdf_calc(OSSL_LIB_CTX* libCtx, unsigned char *key, int keyLen,
     return err;
 }
 
-#if OPENSSL_VERSION_NUMBER <= 0x30400000L
-
 static int test_hkdf_double_set_salt(OSSL_LIB_CTX* libCtx, unsigned char *key,
-    int keyLen, const EVP_MD *md, int mode)
+    int keyLen, const EVP_MD *md, int mode, int isOssl)
 {
     int err = 0;
+    int ret = 0;
+    static int osslRet = 0;
     EVP_PKEY_CTX *ctx = NULL;
     unsigned char inKey[32] = { 0, };
     unsigned char salt[32] = { 0, };
@@ -137,18 +137,17 @@ static int test_hkdf_double_set_salt(OSSL_LIB_CTX* libCtx, unsigned char *key,
         }
     }
     if ((err == 0) && (mode != EVP_PKEY_HKDEF_MODE_EXPAND_ONLY)) {
-#if OPENSSL_VERSION_NUMBER >= 0x30100000L && \
-    OPENSSL_VERSION_NUMBER != 0x30200050L && \
-    OPENSSL_VERSION_NUMBER != 0x30300040L
-        if (EVP_PKEY_CTX_set1_hkdf_salt(ctx, NULL, 0) != 1) {
-#else
-        /* In 3.1.x, the following code was added to hkdf_common_set_ctx_params()
-         * if (p->data_size != 0 && p->data != NULL) {
-         * The above code is not present in 3.2.5 and 3.3.4. */
-        if (EVP_PKEY_CTX_set1_hkdf_salt(ctx, NULL, 0) != 0) {
-#endif
-            PRINT_MSG("Failed to set HKDF salt to NULL");
-            err = 1;
+        ret = EVP_PKEY_CTX_set1_hkdf_salt(ctx, NULL, 0);
+        if (isOssl) {
+            /* Record return value for whatever version of OpenSSL we are
+             * running against as expected result for next call */
+            osslRet = ret;
+        }
+        else {
+            if (ret != osslRet) {
+                PRINT_MSG("Failed to set HKDF salt to NULL");
+                err = 1;
+            }
         }
     }
     if ((err == 0) && (mode != EVP_PKEY_HKDEF_MODE_EXPAND_ONLY)) {
@@ -187,8 +186,6 @@ static int test_hkdf_double_set_salt(OSSL_LIB_CTX* libCtx, unsigned char *key,
     return err;
 }
 
-#endif
-
 static int test_hkdf_md(const EVP_MD *md, int mode)
 {
     int err = 0;
@@ -218,22 +215,22 @@ static int test_hkdf_md(const EVP_MD *md, int mode)
         err = 1;
     }
 
-#if OPENSSL_VERSION_NUMBER <= 0x30400000L
-
     memset(oKey, 0, sizeof(oKey));
     memset(wKey, 0, sizeof(wKey));
 
     if (err == 0) {
         PRINT_MSG("Calc with OpenSSL");
-        err = test_hkdf_double_set_salt(osslLibCtx, oKey, sizeof(oKey), md, mode);
+        err = test_hkdf_double_set_salt(osslLibCtx,
+            oKey, sizeof(oKey), md, mode, 1);
         if (err == 1) {
             PRINT_MSG("FAILED OpenSSL");
         }
     }
 
     if (err == 0) {
         PRINT_MSG("Calc with wolfSSL");
-        err = test_hkdf_double_set_salt(wpLibCtx, wKey, sizeof(wKey), md, mode);
+        err = test_hkdf_double_set_salt(wpLibCtx,
+            wKey, sizeof(wKey), md, mode, 0);
         if (err == 1) {
             PRINT_MSG("FAILED wolfSSL");
         }
@@ -245,8 +242,6 @@ static int test_hkdf_md(const EVP_MD *md, int mode)
         err = 1;
     }
 
-#endif
-
     return err;
 }
 

diff --git a/test/test_rsa.c b/test/test_rsa.c
@@ -1170,7 +1170,9 @@ int test_rsa_fromdata(void* data)
         static const int selections[] = {
             EVP_PKEY_KEYPAIR,
             EVP_PKEY_PUBLIC_KEY,
+#ifdef EVP_PKEY_PRIVATE_KEY
             EVP_PKEY_PRIVATE_KEY, /* added in 3.0.12 and 3.1.4 */
+#endif
         };
 
         /* Parameter data fields */